Optionally allow skipping authentication for preflight requests (CORS)

[idntfy]

Motivation:

• We have an internal single-page application and its api behind oauth2_proxy, so before users could use the app itself or the api they have to be authorized
• In normal environment - staging or production - everything is fine since SPA is making requests to the same host
• But there is a pain during local development of the app, since cross-origin policies kick in when staging api is used for locally running app
• GET requests can be enabled through extending CORS rules and setting XMLHttpRequest.withCredentials to true (so the proxy's cookies would be sent) - as a result if a user was authorized on the staging, for local development a user will act under his own credentials.
• However, POST requests require pre-flight requests to be sent out. Due to w3c standards, for preflight requests (OPTIONS) the proxy's cookies cannot be sent even with XMLHttpRequest.withCredentials=true, so POST/PUT/DELETE actions cannot pass unless we allow skipping authentication for preflight requests.
• We intend to use it only on staging for speeding up local development, that's why it should be a configurable and disabled by default.
• Due to not so standard and extended usage, oauth proxy is still easiest and fastest way for us to have an authorization for our app.

[idntfy]

Already developed and use it in out infrastructure, preparing a PR now.

[jehiah]

resolved by #370